Hypothetical Question: If Bugs Aren't Worth Fixing

A straightforward question arises: You are a software company that makes a web browser. After a given update, your browser is no longer capable of executing Unicode within a text-input field. Why is this not a problem that requires a solution? That is to say, why would you not fix this?

And so we wait on yet another update to see if they've gotten around to it.

There are questions about Flash layers and the rising HTML5 overkill, of course, which only begs the question of other software manufacturers: Why are you using this buggy software apparently built around a schizophrenic flow chart?

No, seriously, last year almost all of my social media went south; Twitter is about the only one that hasn't gone completely useless. But some of that is simply pushing too hard with HTML5 while the flow chart is clueless. In the case of one of the most prominent internet browsers, though, collapsing under the weight of Unicode is simply unacceptable, except for the fact that the manufacturer seems just fine with it.


Unicode is a character formatting language, not an executable. It allows a far broader alphabet (think all those funny picture languages) than ASCII does. There is more than one flavor of Unicode; not all do the same things, and some are even variable character length in bytes.
Supporting it all is difficult, since variable-length characters especially need to be parsed out one by one, and you can't just go into a buffer and pick out the nth one without decoding all the ones before the one you want to even know where it is. This is error-prone and may cause a bug which becomes a security issue, and it's hard to test with the larger universe of character definitions that Unicode brings with internationalization.

Of course, you might just have an ill-formed question, since you mentioned execution. That's like saying "execute the alphabet". Display != execution!
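As an added example (not code from anyone in this thread), here is a small validating UTF-8 decoder in C that shows the two things the reply above is getting at: finding the nth character means decoding every sequence before it, and a decoder that skips the length and continuation-byte checks is exactly where the bugs come from. The byte strings at the bottom are constructed for the example; the function names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode one UTF-8 sequence from s[0..len). Returns the number of bytes
 * consumed (1..4) and stores the code point in *cp, or returns 0 on malformed
 * input: truncated sequence, stray continuation byte, invalid lead byte,
 * overlong encoding, UTF-16 surrogate, or code point above U+10FFFF.
 * It never reads beyond len, which is the check a buggy decoder forgets. */
static size_t utf8_decode(const uint8_t *s, size_t len, uint32_t *cp)
{
    if (len == 0)
        return 0;
    uint8_t b0 = s[0];
    size_t n;
    uint32_t min;                          /* smallest code point this length may encode */
    if (b0 < 0x80) { *cp = b0; return 1; }
    else if ((b0 & 0xE0) == 0xC0) { n = 2; *cp = b0 & 0x1F; min = 0x80; }
    else if ((b0 & 0xF0) == 0xE0) { n = 3; *cp = b0 & 0x0F; min = 0x800; }
    else if ((b0 & 0xF8) == 0xF0) { n = 4; *cp = b0 & 0x07; min = 0x10000; }
    else return 0;                         /* 0x80..0xBF continuation byte, or 0xF8..0xFF */
    if (len < n)
        return 0;                          /* truncated: do not read past the buffer */
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return 0;                      /* expected a continuation byte */
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    if (*cp < min || (*cp >= 0xD800 && *cp <= 0xDFFF) || *cp > 0x10FFFF)
        return 0;                          /* overlong, surrogate, or out of range */
    return n;
}

/* Number of code points in the buffer, or -1 if any sequence is malformed.
 * Linear in the number of bytes: every sequence has to be decoded. */
static long utf8_count(const uint8_t *s, size_t len)
{
    long count = 0;
    size_t pos = 0;
    while (pos < len) {
        uint32_t cp;
        size_t n = utf8_decode(s + pos, len - pos, &cp);
        if (n == 0)
            return -1;
        pos += n;
        count++;
    }
    return count;
}

/* Byte offset of the n-th (0-based) code point, or (size_t)-1 if the buffer is
 * malformed or has fewer than n+1 code points. There is no O(1) index: the
 * offset is only known after decoding everything before it. */
static size_t utf8_offset_of(const uint8_t *s, size_t len, size_t n)
{
    size_t pos = 0;
    for (size_t i = 0; pos < len; i++) {
        uint32_t cp;
        size_t k = utf8_decode(s + pos, len - pos, &cp);
        if (k == 0)
            return (size_t)-1;
        if (i == n)
            return pos;
        pos += k;
    }
    return (size_t)-1;
}

/* Constructed sample inputs (not taken from the thread). */
static const uint8_t SAMPLE_OK[] =
    { 'h', 0xC3, 0xA9, 'l', 'l', 'o', 0xE2, 0x82, 0xAC }; /* "hello" with e-acute and a euro sign: 9 bytes, 6 code points */
static const uint8_t SAMPLE_OVERLONG[]  = { 0xC0, 0x80 };             /* U+0000 padded out to 2 bytes */
static const uint8_t SAMPLE_TRUNCATED[] = { 0xE2, 0x82 };             /* euro sign cut after 2 of 3 bytes */
static const uint8_t SAMPLE_SURROGATE[] = { 0xED, 0xA0, 0x80 };       /* U+D800, not a valid scalar value */
static const uint8_t SAMPLE_EMOJI[]     = { 0xF0, 0x9F, 0x98, 0x80 }; /* U+1F600, a 4-byte sequence */

int main(void)
{
    uint32_t cp = 0;
    printf("code points in SAMPLE_OK: %ld\n", utf8_count(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("byte offset of the 6th code point: %zu\n", utf8_offset_of(SAMPLE_OK, sizeof SAMPLE_OK, 5));
    printf("overlong C0 80 accepted? %s\n", utf8_decode(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG, &cp) ? "yes" : "no");
    printf("truncated E2 82 accepted? %s\n", utf8_decode(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &cp) ? "yes" : "no");
    return 0;
}
```

The overlong and surrogate rejections matter in practice: a decoder that accepts `C0 80` as U+0000 or `C0 AF` as `/` lets an attacker slip a NUL or a path separator past a filter that only checked the ASCII bytes.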


Kittamaru:


Except in some ways it seems it can - for example, embedding a virus in a .jpg image in a sidebar advertisement - this attack vector was used somewhat often a few months ago on social-media websites, such as DeviantArt.


Errors like that are exploits of a flaw in the code that handles decoding the bitstream into an image. Quite often the bad guys use stack or buffer overflows that aren't cleaned up or are allowed to pass into memory that the program doesn't "know" it can access. Then later in the "image", an instruction is pointed to in the memory outside the range of the originally reported size (of the image), and is then executed.

Kittamaru:


Ew... sounds like a combination of sloppy coding and lazy error reporting

I believe it's important to distinguish between two classes of issue here. As Toad said, the issue with .jpgs was a coding error - the image was data, never meant to be executed, but was due to sloppy coding, in this case the code trusting the image header info about how big the image was and allocating that much memory without checking further, then reading the entire file into that memory, whether it was larger than it claimed or not. That's a boo-boo to be sure. There are several like it out there.

Then there's plain old bad design, another whole class of issues, that *deliberately* mix code and data, so that data contains code that is *supposed* to be executed. Yes, that would be primarily Microsoft - OLE, ActiveX, COM, DCOM, but later taken up by Adobe in .pdf and flash formats (wonder why all those things that use it get cracked so often? They run your 'sploit code - on purpose, and by design). That was why my first comment was what it was. Unicode is a text description format, vulnerable to bugs like .jpg, but like jpg not intended to ever be "run" as code, though the fact that it's tricky to handle well makes handling it error-prone.

But what can you do when some software houses deliberately cross the line, with no thought to anything but adding features in complete ignorance of the most basic security principles? That sound player is *supposed* to run when I embed a .wav in my word document! Damn, I have no idea how to print that, but it's a "feature, not a bug" for those turkeys. This "feature" is why so many companies were stuck on an outdated version of internet explorer for so long - it permitted "Excel programmers" (an oxymoron IMO) to create "objects" that contained both code and data for consumption on the corporate LAN, without the bean counters having to hire actual software people with a clue about such things. It has long been a dream of the biz that you could somehow create a high enough level language that click-monkeys could program in it so as to eliminate the requirement for domain specialists who say inconvenient things about stuff like "security" and "design" and "having a plan whatever". This won't be the first time a behind gets bitten by this short sighted and hubristic approach...or it could be I'm just a grumpy old guy (and am proud of what I did when I did have some power over some of this).

(had a nice unicorn barfing pic to put in, but it's on my local machine only, no url so I can't put it in here at this point - I'll have to upload it to my own web presence. There are issues either way with this policy, board peeps take note. I can link an image so huge it breaks your board if I'm willing to host it - and delete it without a trace later and break your board again. Lets me edit history, at the price of saving you a few very inexpensive bytes of storage...)

Mixing data and code was thought by every serious systems engineer to be a super bad move even before the days where we had to be concerned about security from external attackers. Remember it's a relatively new thing that you can get "hit" by someone across the world, with near-zero opportunity cost for them - in the old days, they used to have to get "in range" to punch you at some cost. Now it's free, bringing every malefactor right to the door. Truly, back in the day the mindset was "why would anyone want to break this fine thing". But most of us learned early on, those who cared to. Some others were "well, why care if MS is making tons of money dominating the market with kewl features?".
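The two replies above (the image-decoder overflow, and "trust the header for the allocation, then read in the whole file") describe one bug pattern, so here is one added C example for both. It is not code from anyone in the thread and uses a toy raster format invented for the purpose: the trusting decoder next to a checked one, and a constructed file whose header claims 1x1 while the payload is 64 bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy raster format invented for this example (not a real one): 4-byte magic
 * "IMG1", little-endian uint16 width and height, then width*height bytes of
 * 8-bit pixels. */
#define HDR_LEN 8
#define MAX_DIM 4096                 /* sanity bound on either dimension */

typedef struct {
    uint16_t w, h;
    uint8_t *pixels;                 /* heap buffer of w*h bytes, freed by the caller */
} image_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* VULNERABLE: the pattern described in the thread. The allocation size comes
 * from the header but the copy length comes from the file, so a file whose
 * header says 1x1 and whose payload is 64 bytes writes 63 bytes past the end
 * of the heap buffer (and file_len - HDR_LEN underflows on a short file).
 * Here to read; never feed it untrusted input. */
static int decode_trusting_header(const uint8_t *file, size_t file_len, image_t *out)
{
    out->w = rd16(file + 4);
    out->h = rd16(file + 6);
    out->pixels = malloc((size_t)out->w * out->h);
    if (!out->pixels)
        return -1;
    memcpy(out->pixels, file + HDR_LEN, file_len - HDR_LEN);   /* heap overflow */
    return 0;
}

/* HARDENED: check every header field against the data actually present
 * before using it for anything. 0 on success, negative says which check failed. */
static int decode_checked(const uint8_t *file, size_t file_len, image_t *out)
{
    if (file_len < HDR_LEN || memcmp(file, "IMG1", 4) != 0)
        return -1;                                   /* short file or bad magic */
    uint16_t w = rd16(file + 4), h = rd16(file + 6);
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM)
        return -2;                                   /* absurd dimensions */
    size_t need = (size_t)w * h;                     /* at most 16 MiB, cannot wrap */
    if (file_len - HDR_LEN != need)
        return -3;                                   /* payload disagrees with header */
    uint8_t *px = malloc(need);
    if (!px)
        return -4;
    memcpy(px, file + HDR_LEN, need);                /* copy exactly what was allocated */
    out->w = w;
    out->h = h;
    out->pixels = px;
    return 0;
}

/* Write a file in the toy format into buf; returns its length. Test data only. */
static size_t build_file(uint8_t *buf, uint16_t w, uint16_t h,
                         const uint8_t *payload, size_t payload_len)
{
    memcpy(buf, "IMG1", 4);
    buf[4] = (uint8_t)w;  buf[5] = (uint8_t)(w >> 8);
    buf[6] = (uint8_t)h;  buf[7] = (uint8_t)(h >> 8);
    memcpy(buf + HDR_LEN, payload, payload_len);
    return HDR_LEN + payload_len;
}

/* Honest 2x2 image: 0 if decode_checked accepts it and the pixels round-trip. */
static int sample_good_roundtrip(void)
{
    static const uint8_t px[4] = { 1, 2, 3, 4 };
    uint8_t file[HDR_LEN + sizeof px];
    image_t img;
    size_t n = build_file(file, 2, 2, px, sizeof px);
    int rc = decode_checked(file, n, &img);
    if (rc != 0)
        return rc;
    int ok = img.w == 2 && img.h == 2 && memcmp(img.pixels, px, sizeof px) == 0;
    free(img.pixels);
    return ok ? 0 : -100;
}

/* Crafted file: header claims 1x1, payload is 64 bytes of 'A'. decode_checked
 * must return -3; decode_trusting_header would overflow by 63 bytes. */
static int sample_crafted_result(void)
{
    uint8_t payload[64], file[HDR_LEN + sizeof payload];
    image_t img;
    memset(payload, 'A', sizeof payload);
    size_t n = build_file(file, 1, 1, payload, sizeof payload);
    return decode_checked(file, n, &img);
}

/* Five-byte file: shorter than the header itself. */
static int sample_truncated_result(void)
{
    static const uint8_t file[5] = { 'I', 'M', 'G', '1', 2 };
    image_t img;
    return decode_checked(file, sizeof file, &img);
}

int main(void)
{
    static const uint8_t px[4] = { 9, 9, 9, 9 };
    uint8_t file[HDR_LEN + sizeof px];
    image_t img;
    size_t n = build_file(file, 2, 2, px, sizeof px);
    if (decode_trusting_header(file, n, &img) == 0)    /* safe only because this file is honest */
        free(img.pixels);
    printf("good 2x2 file:    %d\n", sample_good_roundtrip());
    printf("1x1 header, 64 B: %d  (-3 = payload disagrees with header)\n", sample_crafted_result());
    printf("5-byte file:      %d  (-1 = shorter than the header)\n", sample_truncated_result());
    return 0;
}
```

The checked version also bounds the dimensions before multiplying them; with real formats (32-bit width and height) the product can wrap around to a tiny allocation, which is the other classic way a decoder ends up copying more than it allocated.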

Thanks, but that's not exactly helpful. To execute Unicode, one enters a keystroke combination. Performing this action in Facebook with a particular browser in a particular operating system results in crashing the browser.

Furthermore, remember that in addition to "executables", everything is a file. In order to execute Unicode, one must execute a file.

Nice tiny pic. But if I'd put in a multi-megapixel, or even gigapixel, picture, would this board handle it? Most won't, or autoscale so you can't read the other posts on that page... FYI.

Nice wrong thing, Tiassa. Executing is done by PC CPU, or a guy with a guillotine or similar. You *enter* or *display* unicode. If your browser crashes, probably something like Javascript, poorly written, was what "executed" and then crashed, trying to figure out what to display from your keystrokes. When you go away from language usage established for many decades and say your definition is the right one, no one can communicate with you. So I won't try.

Kittamaru:

Scary how uncaring these companies are... but in the end, for them, I guess it all comes down to the almighty dollar huh...

We have a situation kind of like that where I work... we use a program called Fast Track that pulls updates from a network drive by name using a launcher executable - basically, the launcher shortcut points to the network drive. The actual .exe in that drive is updated to point to the newest version by filename... and has no file validation as far as I can tell, nor does it seem to care WHERE it is pulling the file from so long as the name is correct. That scares the living daylights out of me, because it seems like it would be obscenely simple for someone with the knowledge to do so to replace the legitimate executable with one full of malicious code and the same name... and then the next poor bastard to run the launcher gets hammered...

But then again, it was discovered another site of ours has had several computers running for MONTHS with no antivirus of any sort, despite our GPO that deploys it to every domain computer automatically... *headdesk*

I've never run antivirus, even when running a small company on all-windows. We were just careful and didn't fool around on the work machines. We captured, but didn't catch a lot of viruses, and since it was a software/product dev company, we had the right tools to look inside them. There's been quite an evolution of them. (We went to linux at some point, only running windows on VirtualBox or Soft-ICE and didn't surf from windows just in time to miss the drive-by virii from internet exploder, and in fact had already quit using it).

At first, nearly all the viruses we captured were obviously amateur, and written in Borland C, since it was free at the time. Dumb kids even left in the source (eg published the debug build) complete with comments. It was more amusing to laugh at than something to be worried about.
As the years went on, we started to see more serious stuff, built with pro tools - yes, there are traces left in parts of the binary that tell what compiler was used unless you very carefully strip them out - and it was obvious some seriously pro programmers were involved. Most of this stuff was financial theft kinds of things, trying to steal your identity or logins.

Then there were the "return oriented virus" models. Any called routine (and just about everything in any opsys was called at some point) sees its parameters on the stack - including the return address to jump to when the routine is done. By pushing parameters and return addresses of system dll functions on the stack, a virus could be done with just about no actual code - just parameters and pointers to system functions that would do the same stuff for ya. Why re-invent the wheel and leave info that makes it easy to detect it's a virus (like explicit calls to file or internet functions)? During this time, the signature-based AV community came into being. It was no longer enough to look for code patterns, as many virii [sic?] didn't even really contain code - just a list of parameters and addresses. This is at best reactive, it can never catch a zero day, as there has to be a data pattern in the AV database that matches, which can only happen after an attack has been detected, reported, analyzed and added to the DB. Ow! It was about this time we switched opsys, since AV code was "eating" our nice shiny machines' cycles too badly, and we wouldn't put up with that. Don't want to start an opsys war here - could be (though it isn't) just that linux was a less-attacked target, ignoring the fact that it was derived from an opsys that ran all the computer-campus mainframes, and had already lived through some much more serious fire than anything else - highly motivated smart students wanting to hack to change grades, report tuition paid and so on, and experience most opsys never had to survive.

At any rate, ASLR (address space layout randomization) kind of helped with ROP (return oriented programming). All modern opsys do that now. But at first, MS opsys' didn't, for various reasons, mainly simplicity and speed - they loaded all the dlls (which are nearly all of windows itself, as well as any shared libraries) such that they all "looked" like they were in the exact same place every time, using x86 address relocation hardware registers to make that illusion work. Saved the cycles of having to find out where say, the file copy function was in a windows DLL every time. But made it possible to write that class of virus.

And now we have our own tax dollars (and those of other countries) being used against us, and the code has gotten to be really good. When I was in the biz, at first, the number of people who could code that well was small enough you could actually know all of them. And nothing that wanted security was on the internet, as there wasn't one - I even maintained the node for ARPA on the ARPANET, long before these PC things existed. We used phone company leased lines for anything that wanted to be secure. They were and are expensive.

So, along comes the wave of MBA types, saving money and this new internet thing - now everything could be done over one cable, and believe me, even with an expensive plan, it costs a lot less than even a T1 line (even now!). And silly people allowed to program.
Example: A friend who builds ethanol plants and is an industrial distillation expert, used PLCs (programmable logic controllers) to help automate a factory he builds for a customer - turn heat up and down, open and close valves, all that kind of thing. He's not really thinking of security, that's not his field, but really, security by obscurity worked out pretty well, for a while. No one knew either the IP address on the 'net he put this stuff on, or how to talk to any of it if they did - even though it turns out the guys who built the PLC's in the first place were also clueless themselves about security. Then someone in the C suite wants real-time monitoring of their little money maker. So they tell my pal to assign this to a subnet of the corporate IP namespace, so the CEO and such can see it - and even control it, since by the original design, the only guys who were allowed to see a PLC were the guys who might need to emergency-control it. No thought was given to clueless jerks in the C suite and what they might demand, so as to have a read-only interface for them.

Heck, PLC's even started having embedded web servers. No one was thinking anything but how can I add some shiny feature to drive more sales. And most programmers get slapped down for mentioning this kind of thing is dangerous and just do what their technically ignorant boss wants. Got a family to feed. Yeah, it comes down to bucks, for most everything, most times, one way or another, although there's also the principle of "externalizing risk" that makes it even worse. The programmer can say "it's not my fault" because that's what the boss ordered. The boss can say "it's not my fault" because security should be handled by the grunts. So you get this circle jerk of finger pointing, something I may post here on some topic regarding stupid human nature and why things are so messed up due to it.

And now, we have power plants and stuff that can do real harm, with little to no security whatever out there where anyone can ping it and send it commands, especially if (as is usual) no one changed the default passwords and logins. And now that this has happened, well, someone thought to go to the PLC manufacturers and buy the service manuals and have a go - and we now have Stuxnet and its friends.

Hard to say where this will all lead in the end, but it's something even the security biz pooh-poohed at first, thinking no one in their right mind would expose ANY of this to the internet in the first place, they'd all grown up in the leased-line era.
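An added example, not from the thread, on the ASLR point a few paragraphs up: a return-oriented payload is nothing but addresses of existing library code, so it only works if those addresses are predictable. On Linux you can see the countermeasure directly by comparing /proc/<pid>/maps across two fresh processes. The parsing below runs on constructed maps excerpts so it works anywhere; the live probe assumes a Linux /proc and a `cat` binary on PATH, and the function names and MOVED_* bits are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* popen/pclose are POSIX, not ISO C; declared here so the file builds under a
 * strict -std= setting as well as the usual gnu default. */
FILE *popen(const char *command, const char *mode);
int pclose(FILE *stream);

/* Start address of the first /proc/<pid>/maps line whose text contains `name`
 * ("[stack]", "libc.so", or a path fragment of the executable); 0 if absent.
 * A maps line looks like: start-end perms offset dev inode   pathname */
static uintptr_t maps_find_start(const char *maps, const char *name)
{
    char line[512];
    const char *p = maps;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t n = eol ? (size_t)(eol - p) : strlen(p);
        if (n >= sizeof line)
            n = sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        if (strstr(line, name))
            return (uintptr_t)strtoull(line, NULL, 16);   /* stops at the '-' */
        if (!eol)
            break;
        p = eol + 1;
    }
    return 0;
}

#define MOVED_STACK 1
#define MOVED_LIBC  2
#define MOVED_EXE   4

/* Compare two layouts of the same program. A bit is set when the region was
 * found in both and sits at a different address. With randomization off all
 * three come back 0: every run looks "exactly the same place", as the thread
 * describes for the early Windows DLL loading scheme. */
static int layout_diff(const char *maps_a, const char *maps_b, const char *exe)
{
    const char *names[3] = { "[stack]", "libc.so", exe };
    int result = 0;
    for (int i = 0; i < 3; i++) {
        uintptr_t a = maps_find_start(maps_a, names[i]);
        uintptr_t b = maps_find_start(maps_b, names[i]);
        if (a && b && a != b)
            result |= 1 << i;
    }
    return result;
}

/* Run a command and capture up to cap-1 bytes of its stdout into buf. */
static int read_cmd(const char *cmd, char *buf, size_t cap)
{
    FILE *f = popen(cmd, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    buf[n] = '\0';
    pclose(f);
    return n > 0 ? 0 : -1;
}

/* Live probe (Linux only): exec `cat /proc/self/maps` twice. Each cat is a
 * fresh process image, so under ASLR its stack, libc and (if cat is PIE) its
 * own text land somewhere new each time. Returns the MOVED_* mask, or -1 if
 * /proc could not be read. */
static int aslr_probe(void)
{
    enum { CAP = 1 << 16 };
    char *a = malloc(CAP), *b = malloc(CAP);
    int rc = -1;
    if (a && b && read_cmd("cat /proc/self/maps", a, CAP) == 0 &&
        read_cmd("cat /proc/self/maps", b, CAP) == 0)
        rc = layout_diff(a, b, "/cat");
    free(a);
    free(b);
    return rc;
}

/* Constructed maps excerpts (not captured from a real system) for a dry run. */
static const char SAMPLE_MAPS_A[] =
    "555555554000-555555556000 r--p 00000000 08:01 1234    /usr/bin/cat\n"
    "7ffff7dc0000-7ffff7de2000 r--p 00000000 08:01 5678    /usr/lib/libc.so.6\n"
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0       [stack]\n";
static const char SAMPLE_MAPS_B[] =
    "5603b1a12000-5603b1a14000 r--p 00000000 08:01 1234    /usr/bin/cat\n"
    "7f0a1c9e0000-7f0a1ca02000 r--p 00000000 08:01 5678    /usr/lib/libc.so.6\n"
    "7ffc3b5e1000-7ffc3b602000 rw-p 00000000 00:00 0       [stack]\n";

int main(void)
{
    printf("constructed samples: moved mask = %d (7 = stack, libc and exe all moved)\n",
           layout_diff(SAMPLE_MAPS_A, SAMPLE_MAPS_B, "/cat"));
    int live = aslr_probe();
    if (live < 0)
        printf("live probe: /proc not readable on this system\n");
    else
        printf("live probe: moved mask = %d%s\n", live, live ? "" : " (ASLR appears to be off)");
    return 0;
}
```

A live mask of 3 rather than 7 usually means the stack and libc move but the binary itself does not, i.e. `cat` was built without PIE; the kernel-wide switch on Linux is `/proc/sys/kernel/randomize_va_space` (2 = full randomization). Either way the practical lesson is the one the thread draws: a gadget chain built from fixed library addresses stops working the moment those addresses stop being fixed.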

Kittamaru:

Doug... can I come live with you for a few weeks/months/years... there is so much I want/could learn that going to class just doesn't seem capable of teaching! I'd love to have the hands-on experience and even more to have it guided by someone who's "been there, done that" and knows his shit

I AM looking for a lab assistant. But I fear I'm not quite rich enough to hire someone for a long term, just enough for myself unless I get lucky again on something (I'm doing fusion research, self-funded, with a partner who finds equipment for me as my main gig right now, no paycheck)...I live in the "middle of nowhere" and am off-grid, and live very "close to the earth", which is why you'll generally see me here during the daytime, when my solar system has spare power to run big machines that make it easy/fun to post - and the power is falling on the ground unused if I don't use it, once the homestead batteries are charged. It's an interesting life to be sure, and one that costs so little I was able to retire around 16 years ago, young enough to enjoy carving a homestead out of bare land and starting/running a business (now closed).

I do mentor people if they ask. Some of them go on to do really cool stuff later. I really only know how to do that in person, though; and even then...well, like all humans, I have limitations and imperfect knowledge and understanding. I keep trying to overcome those limits, which is why I know a thing or two - the instant you think you've "arrived" the downfall begins.

Kittamaru:


Living off grid... man, I'd love to do that. Then again, I'd love to just own a house instead of renting a townhome... but student loans have my debt to income so high that nobody will give a mortgage... maybe in a year or two, as we pay things down, who knows

Well, now you know why I'm here. I was a hotshot "boardroom samurai" in Wash, DC and despite being a VP of engineering, couldn't get a loan on the house I was living in (renting, the owner wanted to sell it to me) - which was about as far from the city as it got then. I freaked out - as in "what better job am I supposed to get"? and moved down here, where land was cheap - around $17k/45 acres when I bought it (it's gone up since). Now to find a way to stay alive...this is a nice place to be in - but there are almost no jobs even in a good economy, and the beer store is 13.5 miles one way. I got into debt issues in DC, but once paid down, no more of that, ever. Yes, it's cost me some instant gratification, but also taught me a lot and given me some discipline. Dunno what you mean by East Coast exactly, but I'm in VA - near the place where it necks down skinny on the west side of the triangle. It's beautiful here usually, right now it's icky-cold so I'm doing indoor stuff.

The off-grid was a thing of "if not me, then who?" rather than a particular lust for "being green". Though it's resulted in my being greener than most greenies are, it was done for freedom more than anything. I even drive an electric car off my solar! It's a cost and also tax-avoidance thing. Floyd is pretty cool (near VA Tech) and the government here likes me and leaves me alone. Not being on grid means no building permits and little property tax - that cheap thing again. Under this case, the solar system pays for itself yearly, and better yet, I don't have to sweat having an income other than a little trading here and there (barter and stock markets). Was a long hard slog to get here....

It's kind of fun when the extreme greenies want to recruit me to be the poster boy they are too wussy to become themselves...and find out I share not a lot of their views; though I do like my nature preserve, it's here because I'm a lousy farmer and let it all grow up wild.

Hope I'm here and able in a year or two - as I mentioned on my lan of things thread on my forums, I'm not getting any younger. That's why I'm doing homestead automation projects to ease my workload. Even being your own power company with a good system is still a job...
It's just not one where I kiss butt to anyone other than myself. That doesn't mean I don't have to get out and fix things whenever something breaks (or do without).

If you're actually interested, check out:
A little movie of me heading home from the nearest city. I use DCFusor as a handle online a lot, googling that will find you all kinds of interesting things.
Funny, I'd gotten a takedown notice on that video, but it's back up in my playlist again. Doubly funny, since it was from the publishing house that owns the rights to my friend Joe Satriani's music. He, though a friend, couldn't tell them to let me use his music (well... it was only on the stereo after all) because he doesn't own his own stuff anymore, outright, and would have to pay them to let me use it! A rant for another time. When we created IP, we didn't bother suing over it; by the time the other guys thought they'd caught up to the golden goose, we were many eggs ahead... that's the right way.

Kittamaru:

Very very cool! I'm up in Harrisburg PA, on the outskirts... I'm about as close to the city as I could semi-comfortably get... would prefer to be a bit further from it to be honest. Not much undeveloped land around here anymore... they're buying up pretty much anything larger than an acre (and then putting a dozen or more houses on it... blech). I guess people don't realize that once they've paved over all the dirt, the water table is going to be totally FUBAR.

Kittamaru - you'd be welcome to come visit sometime when the weather is nicer. It's driving range, I think. Right now, it's not fit for man nor beast out there and I'm struggling to keep a couple buildings warm enough so things don't freeze and break. I'm not a fan of doing plumbing work!

Kittamaru:


I hear ya! It's been positively frosty, especially with the wind chill!